b"September 2005\nReport No. 05-037\n\n\nControls Over the\nRisk-Related Premium System\n\n\n\n\n             AUDIT REPORT\n\x0c                                                                                       Report No. 05-037\n                                                                                         September 2005\n\n                                    Controls Over the Risk-Related Premium System\n\n                                    Results of Audit\n\n                                    We concluded that the management, operational, and technical controls for the\nBackground and                      RRPS provide reasonable assurance of adequate security. The confidentiality,\nPurpose of Audit                    integrity, and availability of the system and associated data were maintained\n                                    through a combination of sound controls including:\nThe Risk-Related Premium                 \xe2\x80\xa2 risk assessments and security reviews,\nSystem (RRPS) is the FDIC\xe2\x80\x99s              \xe2\x80\xa2 logical access controls,\nsystem of record for the risk            \xe2\x80\xa2 data integrity edit checks, and\nassessment classification of             \xe2\x80\xa2 business continuity planning.\nfinancial institutions. The\nRRPS contains examination and       In addition, the FDIC has developed a certification and accreditation (C&A)\nsupervisory action information      process to validate that the security controls implemented in an information\nthat is considered highly\nsensitive and is not available to\n                                    system are commensurate with risks throughout the FDIC\xe2\x80\x99s computing\nthe public. The insurance           environment. In August 2005, the FDIC started the C&A for the RRPS, which\npremium assessed to each            includes extensive testing of the key management, operational, and technical\ninstitution is based on the         controls.\nbalance of insured deposits held\nduring the preceding two            Although key application controls generally operated as intended, we identified\nquarters and on the degree of       the following deficiencies:\nrisk the institution poses to the       \xe2\x80\xa2 the RRPS security plan did not fully and accurately describe the current\nBank Insurance Fund or the                   management, operational, and technical controls;\nSavings Association Insurance\nFund. The FDIC uses a risk-\n                                        \xe2\x80\xa2 a software configuration management (SCM) plan was not fully\nbased premium system that                    developed or implemented; and\nassesses higher rates on those          \xe2\x80\xa2 read and write access rights of RRPS users were not periodically\ninstitutions that pose greater               reviewed.\nrisks to the insurance fund.\n                                    These deficiencies posed the following risks to the RRPS:\nThe RRPS calculates assessment\nrates based on data from such           \xe2\x80\xa2 not all appropriate security controls for RRPS have been considered and\nsources as the institutions\xe2\x80\x99 Call           implemented,\nReports; Thrift Financial               \xe2\x80\xa2 improper and/or unauthorized software changes could be made to RRPS,\nReports; examination data from              and\nthe FDIC, Office of the                 \xe2\x80\xa2 RRPS data could be changed or improperly disclosed by individuals who\nComptroller of the Currency,                no longer need RRPS read and write capabilities.\nFederal Reserve Board, and\nOffice of Thrift Supervision;\n                                    Collectively, these deficiencies pose risks to the confidentiality, integrity, and\nand input from FDIC personnel.\n                                    availability of the RRPS; however, the risks are at least partially mitigated by the\nThe audit objective was to          ongoing C&A process.\ndetermine whether the RRPS\napplication provides the            Recommendations\nappropriate level of\nconfidentiality, data integrity,    We recommended that the FDIC:\nand availability through the use\n                                     \xe2\x80\xa2 correct identified deficiencies in and approve the updated RRPS security\nof effective management,\noperational, and technical               plan,\ncontrols.                            \xe2\x80\xa2 develop and implement an SCM plan for RRPS, and\n                                     \xe2\x80\xa2 conduct semiannual reviews of all RRPS user access rights.\nTo view the full report, go to\nwww.fdicig.gov/2005reports.asp\n                                    FDIC management agreed with the recommendations and has taken actions to\n                                    address them.\n\x0c                             TABLE OF CONTENTS\n\nBACKGROUND                                                                 1\n\nRESULTS OF AUDIT                                                           3\n\nFINDINGS AND RECOMMENDATIONS                                               5\n\nFINDING A: SECURITY PLAN                                                   5\n     RECOMMENDATION                                                        8\n     CORPORATION COMMENTS AND OIG EVALUATION                               8\n\nFINDING B: SOFTWARE CONFIGURATION MANAGEMENT                               8\n     RECOMMENDATION                                                       11\n     CORPORATION COMMENTS AND OIG EVALUATION                              11\n\nFINDING C: ACCESS REVIEWS                                                 11\n     RECOMMENDATION                                                       12\n     CORPORATION COMMENTS AND OIG EVALUATION                              13\n\nAPPENDIXES\n\nAPPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY                             14\nAPPENDIX II: RRPS SYSTEM OVERVIEW                                         16\nAPPENDIX III: DATA INTEGRITY TESTS                                        17\nAPPENDIX IV: SCM PLAN ELEMENTS AS DESCRIBED IN THE                        18\nSOFTWARE CONFIGURATION MANAGEMENT GUIDEBOOK\nAPPENDIX V: CORPORATION COMMENTS                                          20\nAPPENDIX VI: MANAGEMENT RESPONSE TO RECOMMENDATIONS                       24\n\nTABLES\n\nTable 1: Coverage of Elements in the RRPS Security Plan                    5\nTable 2: SCM Plan Elements Not Addressed in the RRPS Maintenance Manual    9\nTable 3: Access Reviews by DSC Regional Managers                          11\n\x0cFederal Deposit Insurance Corporation                                                                    Office of Audits\n801 17th Street NW, Washington, DC 20434                                                    Office of Inspector General\n\nDATE:                                  September 23, 2005\n\nMEMORANDUM TO:                         Arthur J. Murton, Director\n                                       Division of Insurance and Research\n\n                                       Michael E. Bartell\n                                       Chief Information Officer and\n                                       Director, Division of Information Technology\n\n\n\nFROM:                                  Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]\n                                       Assistant Inspector General for Audits\n\nSUBJECT:                               Controls Over the Risk-Related Premium System\n                                       (Report No. 05-037)\n\nThis report presents the results of the Federal Deposit Insurance Corporation (FDIC) Office of\nInspector General\xe2\x80\x99s (OIG) audit of system controls over the Risk-Related Premium System\n(RRPS). The RRPS, a major application,1 is the FDIC\xe2\x80\x99s system of record for the risk assessment\nclassification of financial institutions and is housed in the FDIC\xe2\x80\x99s Virtual Supervisory\nInformation on the Net (ViSION) Application.2 The RRPS contains examination and\nsupervisory action information that is considered highly sensitive and is not available to the\npublic. The objective of this audit was to determine whether the RRPS application provides the\nappropriate level of confidentiality, integrity, and availability through the use of effective\nmanagement, operational, and technical controls. Appendix I describes in detail our objective,\nscope, and methodology.\n\nBACKGROUND\n\nThe FDIC maintains the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund\n(SAIF) by assessing depository institutions an insurance premium twice a year. The premium\namount is based on the balance of assessable deposits held during the preceding two quarters and\non the degree of risk the institution poses to the insurance fund. The FDIC\xe2\x80\x99s risk-based premium\nsystem assesses higher rates for institutions that pose greater risks to the BIF or SAIF. To\nassess premiums, the FDIC places each institution in one of nine risk categories using a two-step\nprocess based first on capital ratios and second on other relevant information such as the\nresults of:\n              \xe2\x80\xa2    the last examination by the primary federal regulator;\n\n1\n  OMB Circular A-130, Appendix III, defines a major application as one that requires special attention to\nsecurity due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to, or\nmodification of, the information in the application. The FDIC has designated seven applications, including the\nRRPS, as major applications.\n2\n  ViSION is an FDIC major application and mission-critical system that provides access to financial, examination,\nand supervisory information on financial institutions.\n\x0c               \xe2\x80\xa2   independent, joint,3 or concurrent FDIC examinations; and\n               \xe2\x80\xa2   off-site statistical analysis of reported financial statements.\n\nThe RRPS calculates assessment rates based on data from such sources as Call Reports; Thrift\nFinancial Reports; examination data from the FDIC, Office of the Comptroller of the Currency\n(OCC), Federal Reserve Board (FRB), and Office of Thrift Supervision (OTS); and input from\nFDIC personnel. In accordance with guidelines approved by the FDIC Board of Directors, the\nDivision of Insurance and Research (DIR) uses this information to determine the assessment rate\nfor each institution. Appendix II contains an overview of the RRPS.\n\nDIR performs the assessment process twice a year. During this process, DIR assigns and updates\nthe assessment risk classifications for all financial institutions. The financial institutions receive\nquarterly assessments based on the assessment ratings. At the completion of each assessment\nperiod, DIR meets with the Division of Information Technology (DIT) to discuss RRPS changes\nthat may be needed as a result of possible revised legislative requirements or new system\ncapabilities. When system changes are made, the RRPS is retested prior to the next assessment\nperiod. DIR is responsible for the RRPS; however, the Division of Supervision and Consumer\nProtection (DSC) has the majority of RRPS users (about 2,000).\n\nApplication Control Guidance\n\nThe Federal Information Security Management Act of 2002 (FISMA), Public Law 107-347,\nrequires each federal agency to develop, document, and implement an agency-wide information\nsecurity program to provide security for the information and information systems that support the\noperations and assets of the agency, including those provided or managed by another agency,\ncontractor, or other sources. Under FISMA, the National Institute of Standards and Technology\n(NIST) is responsible for developing standards and guidelines, including minimum requirements,\nfor providing adequate information security for federal agency operations and assets. NIST\nissued Special Publication (SP) 800-53, Recommended Security Controls for Federal\nInformation Systems, which states that security controls are the management, operational, and\ntechnical safeguards and countermeasures prescribed for an information system which, taken\ntogether, should adequately protect the confidentiality, integrity, and availability of the system\nand its information. SP 800-53 defines these security controls as follows.\n\n      \xe2\x80\xa2    Management controls focus on the management of risk and the management of\n           information system security. These controls address: (1) risk assessment; (2) security\n           planning; (3) acquisition of information systems and services; and (4) certification,\n           accreditation, and security assessments.\n\n      \xe2\x80\xa2    Operational controls are primarily implemented and executed by people (as opposed to\n           systems). These controls address: (1) personnel security, (2) physical and environmental\n           protection, (3) contingency planning and operations, (4) configuration management,\n           (5) hardware and software maintenance, (6) system and information integrity, (7) media\n           protection, (8) incident response, and (9) security awareness and training.\n\n3\n    An examination performed by both the FDIC and another federal or state regulatory agency.\n\n\n                                                          2\n\x0c      \xe2\x80\xa2    Technical controls are primarily implemented and executed by the information system\n           through mechanisms contained in the hardware, software, or firmware4 components of\n           the system. These controls address: (1) user identification and authentication, (2) logical\n           access control, (3) audit and accountability, and (4) system and communications\n           protection.\n\nSystem Certification and Accreditation (C&A)\n\nNIST 800-37, Guide for the Security Certification and Accreditation of Federal Information\nSystems, states that agency officials must have the most complete, accurate, and trustworthy\ninformation possible on the security status of their information systems in order to make timely,\ncredible, risk-based decisions regarding whether to authorize operation of those systems. The\ninformation and supporting evidence needed for security accreditation are developed during a\ndetailed security review of an information system, typically referred to as security certification.\nSecurity certification is a comprehensive assessment of the management, operational, and\ntechnical security controls in an information system, made in support of security accreditation, to\ndetermine the extent to which the controls are implemented correctly, operating as intended, and\nproducing the desired outcome with respect to meeting the security requirements for the system.\nThe results of a security certification are used to reassess the risks and update the system security\nplan, thus providing the factual basis for an authorizing official to render a security accreditation\ndecision. The steps performed in the C&A process are dependent on the level of risk defined as\nlow-, moderate-, or high-impact in an operating system.\n\nThe FDIC has developed a C&A process to validate that the security controls implemented in an\ninformation system are commensurate with the risks throughout the FDIC computing\nenvironment. In July 2004, the FDIC performed a low-impact C&A for the RRPS which,\naccording to NIST guidance, entails only a documentation review of the controls. Beginning in\n2005, the FDIC planned to perform a moderate-impact C&A, which includes extensive testing of\nkey management, operational, and technical controls, for all of its major systems, including the\nRRPS. The C&A for the RRPS began in August and will be completed by December 2005.\n\n\nRESULTS OF AUDIT\n\nThe management, operational, and technical controls for RRPS provide reasonable assurance of\nadequate security. The confidentiality, integrity, and availability of the system and associated\ndata were maintained through a combination of sound controls, including:\n    \xe2\x80\xa2 risk assessments and security reviews,\n    \xe2\x80\xa2 logical access,\n    \xe2\x80\xa2 data integrity edit checks (details are provided in Appendix III), and\n    \xe2\x80\xa2 business continuity planning.\n\n\n\n\n4\n    Firmware is hardware that includes embedded software, i.e., a read-only or programmable read-only memory chip.\n\n\n                                                         3\n\x0cAlthough key application controls generally operated as intended, we identified the following\ndeficiencies in the security plan, software configuration management, and access reviews that\ncould affect the security of the RRPS.\n.\n    \xe2\x80\xa2 The security plan did not fully and accurately describe the current management,\n        operational, and technical controls (Finding A).\n    \xe2\x80\xa2 A software configuration management (SCM) plan was not fully developed or\n        implemented (Finding B).\n    \xe2\x80\xa2 RRPS users\xe2\x80\x99 read and edit access rights were not periodically reviewed (Finding C).\n\nAs a result of these deficiencies, the RRPS is exposed to the following risks:\n\n    \xe2\x80\xa2   Not all appropriate security controls for RRPS have been considered and implemented.\n    \xe2\x80\xa2   Improper and/or unauthorized software changes could be made to RRPS.\n    \xe2\x80\xa2   RRPS data could be changed or improperly disclosed by individuals who no longer need\n        read and edit capabilities.\n\nCollectively, these deficiencies pose risks to the confidentiality, integrity, and availability of the\nRRPS; however, the risks are at least partially mitigated by the ongoing C&A process.\n\n\n\n\n                                                   4\n\x0c                           FINDINGS AND RECOMMENDATIONS\n\nFINDING A: SECURITY PLAN\n\nCondition: The RRPS security plan, dated March 29, 2005, adequately addressed the RRPS\nsystem security controls. However, some of the plan\xe2\x80\x99s elements need to be more fully explained.\nThe results of our assessment of the RRPS security plan based on NIST SP 800-18, Guide for\nDeveloping Security Plans for Information Technology Systems, are summarized in Table 1.\n\nTable 1: Coverage of Elements in the RRPS Security Plan\nSecurity Plan       NIST SP 800-18 Requirements                                  Exceptions\nSection\nSystem Identification   System Name/Title, Information Contacts, Assignment      None\n                        of Security Responsibility, System Operational Status,\n                        General Description/Purpose, System Environment,\n                        System Interconnection/Information Sharing,\n                        Applicable Laws or Regulations Affecting the System,\n                        General Description of Information Sensitivity\nManagement Controls     Risk Assessment and Management                           The plan does not provide information\n                                                                                 on where and how to obtain the most\n                                                                                 recent Risk Assessment Report.\n                        Review of Security Controls                              None\n                        Rules of Behavior                                        The plan does not specify a\n                                                                                 requirement to provide users with a\n                                                                                 copy of the Rules of Behavior prior to\n                                                                                 obtaining access to RRPS.\n                        Planning for Security in the Life Cycle                  The plan does not describe disposal\n                                                                                 requirements for system termination\n                                                                                 such as procedures on how\n                                                                                 information would be archived,\n                                                                                 cleared, or purged from the RRPS.\n                        Authorize Processing                                     None\nOperational Controls    Personnel Security                                       The plan does not indicate the\n                                                                                 sensitivity level (low, medium, and\n                                                                                 high) designations for DIT contractor\n                                                                                 personnel involved in RRPS\n                                                                                 maintenance and technical support.\n\n                                                                                 The plan does not specify termination\n                                                                                 procedures for users in adverse\n                                                                                 situations.\n\n                                                                                 Note: FDIC Circular 1360.15, Access\n                                                                                 Control for Automated Information\n                                                                                 Systems, is referenced as containing\n                                                                                 procedures for reviewing user access.\n                                                                                 The reviews have not been performed\n                                                                                 (see Finding C).\n                        Physical and Environmental Protection                    None\n                        Production, Input/Output Controls                        Although the plan indicates that\n                                                                                 specific electronic processing\n                                                                                 procedures have been established to\n\n\n\n\n                                                      5\n\x0cSecurity Plan          NIST SP 800-18 Requirements                      Exceptions\nSection\n                                                                        handle data and media from external\n                                                                        agencies, no information is included\n                                                                        on where and how to obtain these\n                                                                        procedures.\n\n                                                                        Labeling the data sensitivity (e.g.,\n                                                                        Privacy Act or proprietary data) of\n                                                                        printed output is not addressed.\n                       Contingency Planning                             None\n                       Application Software Maintenance Controls        The plan does not require that a\n                                                                        Configuration Management Plan be\n                                                                        developed and implemented as\n                                                                        required by FDIC Circular 1320.4,\n                                                                        FDIC Software Configuration\n                                                                        Management Policy (see Finding B).\n\n                                                                        The plan does not address migration\n                                                                        procedures (i.e., movement of the\n                                                                        software through the development\n                                                                        stage to the test stage to the\n                                                                        production stage) to prevent using\n                                                                        incorrect versions of software.\n                       Data Integrity/Validation Controls               None\n                       Documentation                                    None\n                       Security Awareness and Training                  None\nTechnical Controls     Identification and Authentication                None\n                       Logical Access Controls                          None\n                       Public Access Controls                           None\n                       Audit Trails                                     None\n\n\nDuring our fieldwork, we provided DIR with the security plan exceptions noted in this report.\nThe ISM, in coordination with DIT personnel, immediately began addressing our concerns.\n\nCause: The deficiencies noted in the RRPS security plan were similar to those identified in a\nprevious Independent Security Review conducted in 2003. The DIR Information Security\nManager (ISM) responsible for RRPS did not verify and ensure that all of the previously\nidentified deficiencies had been corrected before the March 29, 2005 security plan was approved.\n\nCriteria: A security plan for an information system helps to ensure that agreed-upon security\ncontrols planned or in place are fully documented. In addition, the security plan provides a\ncomplete description of the information system, including supporting documentation such as the\nkey documents that support an organization\xe2\x80\x99s information security program. Office of\nManagement and Budget (OMB) Circular A-130, Appendix III, requires that agencies prepare\nsecurity plans for their general support systems and major applications. OMB outlines the\nminimum controls that must be described in system and application security plans and requires that\nsecurity plans comply with NIST standards.\n\n\n\n\n                                                     6\n\x0cNIST SP 800-18 states that the purposes of system security plans are (1) to provide an overview\nof the security requirements of the system and description of the controls in place or planned that\nmeet those requirements and (2) to delineate the responsibilities and expected behavior of all\nindividuals who access the system.\n\nNIST SP 800-53, control number PL-1, Security Planning Policy and Procedures, states that the\norganization develops, disseminates, and periodically reviews/updates: (1) a formal,\ndocumented, security planning policy that addresses purpose, scope, roles, responsibilities, and\ncompliance; and (2) formal documented procedures to facilitate the implementation of the\nsecurity planning policy and associated security planning controls. Further, SP 800-53, control\nnumber PL-3, System Security Plan Update, states that the organization should review the\nsecurity plan for the information system to address system/organizational changes or problems\nidentified during the plan implementation or security control assessments.\n\nNIST SP 800-37 states that security plans should be updated and approved prior to the\nassessment of security controls during the C&A process.\n\nFDIC Circular 1310.3, Information Technology Security Risk Management Program, dated\nJuly 6, 2005, states that the divisional program manager is responsible for preparing a security\nplan that documents the management, operational, and technical security controls intended to\nprotect information assets. The circular incorporates guidance included in NIST publications.\n\nEffect: The RRPS security plan does not fully address the requirements described in NIST\nSP 800-18. Therefore, there is a risk that not all appropriate security controls for RRPS have\nbeen considered and implemented to protect the confidentiality, integrity, and availability of the\nsystem and the data it processes. The deficiencies we identified in the security plan could result\nin the following:\n    \xe2\x80\xa2 The most current risk assessment may not be used to mitigate security risks if there is no\n        reference to the location and date of the latest risk assessment performed. Consequently,\n        the wrong set of risks could be mitigated, or the high risks may not be addressed.\n    \xe2\x80\xa2 New users may not be aware of their security responsibilities when accessing RRPS if\n        they are not provided with the Rules of Behavior prior to receiving system access. User\n        awareness training, which includes the Rules of Behavior, is given only once a year.\n    \xe2\x80\xa2 Sensitive information in RRPS could be exposed to unauthorized access at the end of the\n        system life cycle if disposal requirements are not defined and planned.\n    \xe2\x80\xa2 Risk of unauthorized activities could increase if the appropriate level of screening of the\n        contractor personnel involved in system maintenance and technical support is not\n        performed because position sensitivity levels (low, medium, and high) have not been\n        designated.\n    \xe2\x80\xa2 Risk of unauthorized activities of disgruntled employees could increase if termination\n        procedures for users under adverse situations are not readily identified and available.\n    \xe2\x80\xa2 Risk of improper disclosure of sensitive data could increase if procedures for handling\n        the receipt of sensitive data and media from external agencies are not readily identified\n        and available.\n\n\n\n\n                                                 7\n\x0c   \xe2\x80\xa2   Risk of unauthorized disclosure of sensitive information (e.g., Privacy Act or proprietary\n       data) could increase if there is no requirement to properly label the sensitivity level of\n       printed output data.\n   \xe2\x80\xa2   Risk of errors and omissions from incorrect versions of software placed into production\n       could increase if formal migration procedures (development to test to production\n       procedures) are not readily identified and available.\n\nThe risks posed by the deficiencies in the security plan are heightened because of the changing\ncontrol environment affecting RRPS. As a result of the FDIC\xe2\x80\x99s reorganization and\ntransformation, key RRPS personnel have departed, and the status of the remaining personnel\nand contractors is uncertain. Keeping policies, procedures, and system documentation as current\nand complete as possible is critical in ensuring the adequacy of controls for system operations in\na changing environment.\n\nRECOMMENDATION\n\n(1) We recommend that the Director, DIR, correct the deficiencies in and approve the updated\nRRPS security plan.\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn September 13, 2005, the Director, DIR, provided a written response that is presented in its\nentirety in Appendix V of this report. DIR agreed with the recommendation and provided a copy\nof the revised security plan. The revised security plan adequately addressed the deficiencies\nsummarized in Table 1 of this report. DIR also indicated that the security plan will be modified\nwhen: (1) NIST or OMB update requirements for major application security plans, (2) RRPS\napplication controls or procedures are modified, and/or (3) internal reviews or external security\naudits require modifications. The security plan is expected to be approved by October 14, 2005.\n\nThe actions taken and planned by management are responsive to the recommendation. The\nrecommendation is resolved but will remain undispositioned and open until we have determined\nthat agreed-to corrective action has been completed and is effective.\n\nFINDING B: SOFTWARE CONFIGURATION MANAGEMENT\n\nCondition: The RRPS project team did not develop an SCM plan in accordance with FDIC and\nNIST guidelines. Specifically, the RRPS Project Team did not develop an SCM plan in\naccordance with the FDIC\xe2\x80\x99s SCM plan guidance.\n\nThe March 29, 2005 RRPS security plan referenced the RRPS Maintenance Manual, dated\nNovember 2002, as the source for maintaining and updating software configuration. The\nMaintenance Manual contains project documentation references, points of contact, system\ndescription, and the process for handling change requests. However, as indicated in Table 2 on\nthe next page, the Maintenance Manual does not adequately address required plan elements\n\n\n\n\n                                                8\n\x0cspecified in FDIC guidelines. Appendix IV provides a detailed description of the SCM plan\nelements as described in the FDIC\xe2\x80\x99s Software Configuration Management Guidebook, dated\nJuly 22, 2003.\n\nTable 2: SCM Plan Elements Not Addressed in the RRPS Maintenance Manual\n\n    SCM Plan Element                           Plan Requirements\n\n    CM Organization                            Roles and Responsibilities\n                                               (Includes only names of contacts)\n                                               Tools/Environment\n                                               Training\n\n    Configuration Identification               Identification Methods\n\n    Configuration and Change Control           CM Repository\n                                               View and Branch Management\n                                               Project Baselines\n                                               Document Processing and Approval\n                                               Change Request Processing and Approval\n                                               (Focus was on the form of the request)\n                                               Change Control Board\n                                               Release Process\n\n    Status Accounting                          Reports\n\n    Configuration Evaluations                  Physical Configuration Audit\n                                               Functional Configuration Audit\n                                               Milestones\n                                               Subcontractor and Vendor Software Control\n\nThe RRPS Project Team is using two SCM tools in the absence of a formal SCM plan--StarTeam\nfor the software residing on the servers and Endevor for the software residing on the mainframe.5\nHowever, only two StarTeam capabilities had been implemented at the time of our review--\nsoftware documentation and a change request facility. The following key StarTeam capabilities\nhave not been implemented:\n\n      \xe2\x80\xa2 software release comparison with date/time stamp;\n      \xe2\x80\xa2 change tracking and traceability;\n      \xe2\x80\xa2 file locking to prevent simultaneous access between users;\n      \xe2\x80\xa2 workflow control for approval process; and\n      \xe2\x80\xa2 rollback to previous software version.\n\nKey features of Endevor have been implemented to control changes and access to the RRPS\nsoftware residing on the mainframe.\n\n\n5\n RRPS is considered a client/server application. The functions of client/server applications are distributed between\ndifferent computer platforms such as servers and the mainframe.\n\n\n                                                         9\n\x0cCause: The RRPS Project Team indicated that factors such as the recent DIT reorganization and\ncontract consolidation efforts affected the completion of the SCM plan for RRPS. As a result,\nwork on both the SCM plan and StarTeam implementation was delayed until June 2005.\n\nCriteria: An SCM program ensures that the integrity of the system software is maintained\nduring a system\xe2\x80\x99s life cycle. Key components of an SCM program include developing an SCM\nplan and using automated tools to track and control software changes.\n\nNIST SP 800-53, CM-2, Baseline Configuration, calls for organizations to develop, document,\nand maintain a current baseline configuration of an information system and an inventory of the\nsystem\xe2\x80\x99s constituent components. CM-2 also indicates that an organization should update the\nbaseline configuration as an integral part of information system component installations and\nshould employ automated mechanisms to maintain an up-to-date, complete, accurate, and readily\navailable baseline configuration. CM-3, Configuration Change Control, states that an\norganization should document and control changes to an information system. Information\nsystem changes should be approved by appropriate organizational officials in accordance with\norganizational policies and procedures.\n\nFDIC Circular 1320.4, FDIC Software Configuration Management Policy, dated July 8, 2003,\nstates that an SCM plan should be developed and implemented for all applications no later than\nDecember 31, 2003. The circular includes specific responsibilities and guidance for preparing\nand implementing the plan. The system development representative (project manager) is\nresponsible for preparing the SCM plan. The circular requires that application SCM plans and\nSCM tools comply with the procedures described in the Software Configuration Management\nGuidebook, dated July 22, 2003.\n\nEffect: DIT recently completed an organizational transformation that resulted in consolidating\nthe number of application support contractors. The current RRPS contractor was not named as\none of the four remaining contractors. As a result, the current contractor may not be supporting\nRRPS in the future. In addition, DIT has downsized and has lost many personnel, including an\nFDIC RRPS project manager. To facilitate the reassignment of responsibilities, current and\nexplicit RRPS software configuration management processes must be in place to ensure that\nsystem documentation and SCM procedures are understood by new FDIC or contractor\npersonnel.\n\nWithout an SCM plan, the RRPS could be exposed to unauthorized changes, errors, and\nomissions that could damage critical data and cause system failures. More specifically, without\nimplementing StarTeam, which contains key features needed for controlling software changes,\nthe RRPS could experience the following:\n\n   \xe2\x80\xa2   errors from changes made to the wrong versions of the software,\n   \xe2\x80\xa2   an inability to trace change requests for problem resolution and/or verification that\n       changes met requirements,\n   \xe2\x80\xa2   an inability to prevent simultaneous updates to one file,\n   \xe2\x80\xa2   errors from incorrect processing of approved changes, and\n   \xe2\x80\xa2   an inability to revert to a previous software version in the event of a serious error.\n\n\n                                                10\n\x0cRECOMMENDATION\n\n(2) We recommend that the Director, DIT, develop and implement an SCM plan for RRPS that\nincorporates the appropriate features of StarTeam.\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn September 18, 2005, the Director, DIT, provided a written response to the draft report that is\npresented in Appendix VI of this report. DIT agreed with the recommendation and stated that\nthe SCM plan template was changed on July 29, 2005. DIT has drafted a new RRPS SCM plan\nusing the updated template. In addition, four of the five StarTeam capabilities identified in the\naudit will be activated in StarTeam and included in the SCM plan for RRPS. A separate\ndocument addressing the workflow control for the approval process will be prepared.\n\nThe actions taken and planned by management are responsive to the recommendation. The\nrecommendation is resolved but will remain undispositioned and open until we have determined\nthat agreed-to corrective actions have been completed and are effective.\n\nFINDING C: ACCESS REVIEWS\n\nCondition: The ISM responsible for RRPS reviewed access rights for 21 system administrators\ninvolved in the development and production of mainframe applications. However, the ISM did\nnot periodically review the access rights for the majority of RRPS users. DSC has about 2,000\nusers, and at least 465 users had both read and edit capabilities. During the audit, we asked DSC\nRegional Managers to review their staffs\xe2\x80\x99 continued need for read and edit capabilities for the\nRPPS. The feedback we received from 5 DSC regional offices indicated that 75 of the 465 users\nno longer required the edit capability. The results indicated that 72 of the 75 users no longer\nneeded access because of role changes and that 3 users were no longer employed at the FDIC.\nThe access reviews by DSC Regional Managers are summarized in Table 3.\n\nTable 3: Access Reviews by DSC Regional Managers\nRegion             Users with Read/Edit Access Rights             Users Who No Longer Need Read/Edit Access\nAtlanta                                 82                                               2\nDallas                                  122                                             23\nSan Francisco                           81                                              24\nKansas City                             93                                               7\nNew York                                87                                              19\nTotal                                  465*                                            75*\n*The total does not include the Chicago Region because the requested information was not provided. We did not\nexamine the need for the read-only capability in this audit.\n\nCause: DIR\xe2\x80\x99s ISM had not established the roles, responsibilities, and procedures for performing\nperiodic access reviews of RRPS users as required by FDIC Circular 1360.15 and the RRPS\nsecurity plan.\n\nCriteria: User access to the RRPS should be granted based on the user\xe2\x80\x99s need to perform\nassigned duties and should be terminated when no longer required. NIST SP 800-53 states that\n\n\n\n                                                     11\n\x0can effective information security program should include periodic assessments of risk, including\nthe magnitude of harm that could result from the unauthorized access, use, disclosure, disruption,\nmodification, or destruction of information and information systems that support the operations\nand assets of an organization. Also, SP 800-53, PS-5, Personnel Transfer, states that an\norganization should review access authorizations when individuals are reassigned or transferred\nto other positions within the organization and should initiate appropriate actions such as closing\nold accounts, establishing new accounts, and changing system access authorization. SP 800-53,\nPS-4, Personnel Termination, states that an organization should terminate system access when\nemployment is terminated.\n\nFDIC Circular 1360.15, Access Control for Automated Information Systems, requires the ISM to\nreview the assignment of user rights to sensitive information systems within his/her specific\ndivision or office. The RRPS security plan states that the ISM should review RRPS user access\nrights semiannually to determine whether users need them to perform their responsibilities.\n\nEffect: Without periodic reviews of users\xe2\x80\x99 access rights, there is a risk that improper disclosure\nand/or unauthorized changes to RRPS data could be made by individuals no longer needing the\nread/edit capability. However, this access risk has been mitigated because: (1) DSC users\xe2\x80\x99 read\nand edit access is limited to the banks assigned to their respective Case Managers;6 (2) Case\nManagers are required to manually record any changes that are made and to provide comments\nin the RRPS about the changes; and (3) after the caseload7 is reconciled, the Case Managers send\nthe hardcopy logs and management reports semiannually to the Assistant Regional Director for\napproval.\n\nRECOMMENDATION\n\n(3) We recommend that the Director, DIR, establish roles, responsibilities, and procedures for\nconducting periodic reviews of all RRPS user access rights as required by FDIC Circular\n1360.15 and the RRPS security plan.\n\n\n\n\n6\n  A Case Manager performs activities related to the review, analysis, and processing of reports of examination,\napplications, investigations, and other correspondence involving their caseloads. The primary responsibilities of\nCase Managers involve assessing risk to the deposit insurance fund and directing the appropriate supervisory efforts\nto eliminate or manage such risk.\n7\n  A caseload may consist of organizations that have operations extending beyond the geographic boundaries of the\nregion to which Case Managers are assigned. Regardless of geographic location, Case Managers will be the\nprincipal supervisory contact for the FDIC's regulatory oversight activities for the banking operations of institutions\nassigned to their caseloads.\n\n\n                                                          12\n\x0cCORPORATION COMMENTS AND OIG EVALUATION\n\nDIR agreed with the recommendation and provided a copy of the procedures in the revised\nsecurity plan. The revised security plan included the roles, responsibilities, and procedures for\nconducting periodic reviews of all RRPS user access rights. As stated earlier, the security plan is\nexpected to be approved by October 14, 2005.\n\nManagement\xe2\x80\x99s planned action is responsive to the recommendation. The recommendation is\nresolved but will remain undispositioned and open until we have determined that agreed-to\ncorrective action has been completed and is effective.\n\n\n\n\n                                                13\n\x0c                                                                                                APPENDIX I\n\n                          OBJECTIVE, SCOPE, AND METHODOLOGY\nObjective\n\nThe audit objective was to determine whether the RRPS application provided an appropriate\nlevel of confidentiality, integrity, and availability through the use of cost-effective management,\npersonnel, operational, and technical controls.\n\nScope\n\nThis audit is one of three audits being performed as part of an overall review of the RRPS\nprocess. The results of the other audits, Audit of FDIC Assessments and Designated Reserve\nRatio Determinations (Assignment No. 2005-032) and Audit of the FDIC\xe2\x80\x99s Risk-Related\nInsurance Premium System (Assignment No. 2005-033), will be issued in separate reports. This\naudit covered the period from January 1, 2005 through June 30, 2005 and included the data\nupload for the financial institutions\xe2\x80\x99 December 31, 2004 Call Reports.\n\nMethodology\n\nTo accomplish our objective, we determined whether the input, output, and processing controls\nminimized the risks of errors, omissions, and unauthorized access. Specifically, we:\n\n    \xe2\x80\xa2   Obtained and reviewed documentation in support of the system development life cycle\n        for RRPS.\n    \xe2\x80\xa2   Obtained, through interviews and observation, an overview of the RRPS application and\n        interfacing systems.\n    \xe2\x80\xa2   Performed an analysis of RRPS user access accounts.\n    \xe2\x80\xa2   Interviewed DSC, DIR, and DIT staff responsible for authorizing RRPS and ViSION\n        access through the FDIC Intranet.\n    \xe2\x80\xa2   Reviewed policies, procedures, and documentation relating to user access and account\n        maintenance.\n    \xe2\x80\xa2   Reviewed the FDIC\xe2\x80\x99s policies, procedures, and practices relating to application security\n        training for RRPS.\n    \xe2\x80\xa2   Reviewed SCM policies, procedures, and practices and interviewed DIT and contractor\n        staff regarding the SCM tools and processes used by the RRPS system developers.\n    \xe2\x80\xa2   Selected a random sample of 43 institutions and compared the RRPS assessment data that\n        was modified during the July 2004 assessment period to the assessment data used by\n        AIMS II8 in order to determine the accuracy and completeness of the safety and\n        soundness and capital group data used in computing quarterly assessments.\n    \xe2\x80\xa2   Compared the institutional data provided by the FRB, OCC, and OTS for the July 2005\n        assessment period with the institutional data in the RRPS Universe database to determine\n        the completeness of the external data input process.\n\n8\n Assessments Invoicing Management System II (AIMS II) invoices financial institutions quarterly for insurance\npremiums assessed to maintain the BIF and SAIF.\n\n\n                                                       14\n\x0c                                                                                    APPENDIX I\n\n   \xe2\x80\xa2   Reviewed RRPS security plan and supporting documentation.\n   \xe2\x80\xa2   Reviewed the March 2005 user satisfaction survey of 52 respondents to determine\n       whether RRPS was meeting user needs.\n\nWe performed audit work in DIR\xe2\x80\x99s Washington, D.C., office and DIT\xe2\x80\x99s Virginia Square office.\nWe performed the audit from April through July 2005 in accordance with generally accepted\ngovernment auditing standards.\n\nInternal Controls\n\nWe performed an assessment of the RRPS internal controls, including the control environment,\nrisk assessment, control activities, information and communications, and application monitoring.\nAs discussed in the audit report, we identified control weaknesses. Most significantly, as a result\nof the FDIC\xe2\x80\x99s restructuring and transformation activities, key FDIC and contractor personnel\nhave departed. This loss of continuity could have a negative impact on the control environment\nand control activities. Keeping policies, procedures, and system documentation as current and\ncomplete as possible is critical in ensuring the adequacy of controls for system operations in a\nchanging environment.\n\nPerformance Measures\n\nIn relation to the FDIC\xe2\x80\x99s Insurance Program, the FDIC\xe2\x80\x99s 2005 Annual Performance Plan states\nthat the RRPS will be enhanced consistent with the improvements that are implemented for the\nViSION application (which houses the RRPS). The RRPS has been enhanced and is undergoing\nadditional enhancements consistent with the performance goal in the 2005 plan.\n\nReliance on Computer-based Data\n\nAs part of our audit objective, we assessed the reliability of the data in the RRPS system.\nSpecifically, we compared the data in RRPS to the data received from external sources as part of\nthe data integrity tests performed (see Appendix III). We did not compare system data to\ninternal source data because that comparison was performed under another audit assignment.\nFor purposes of this audit, the data was sufficiently reliable to support our audit conclusions.\n\n\n\n\n                                                15\n\x0c                       APPENDIX II\n\nRRPS SYSTEM OVERVIEW\n\n\n\n\n         16\n\x0c                                                                                                   APPENDIX III\n\n                                        DATA INTEGRITY TESTS*\n\nTests                 Type of         Purpose            Method                       Results\n                      Test\nEnsure all records    Audit           Completeness       Combined files from          No issues. All records submitted\nsubmitted by          Command                            regulators into a file and   by the regulators were included in\noutside regulators    Language                           compared the \xe2\x80\x9cCERT\xe2\x80\x9d          the RRPS Universe List.\nare included in the   (ACL)                              column with the\nUniverse List.                                           \xe2\x80\x9cCERT\xe2\x80\x9d column in the\n                                                         RRPS Universe List.\nLocate the blank      ACL             Completeness       Downloaded the               No issues. Found that 20 blank\n\xe2\x80\x9cRL [Reconcile-                                          Reconcilement List from      cells out of 572 total cells were\nment List] Codes\xe2\x80\x9d                                        RRPS. Used ACL to            identified. These discrepancies\nand determine why                                        calculate the number of      were resolved. Thirteen were\nthey are blank                                           blank cells.                 manually deleted because they\ncells.                                                                                were \xe2\x80\x9cother insured branches\xe2\x80\x9d not\n                                                                                      institutions. Seven institutions\n                                                                                      were additions to the Reconcile-\n                                                                                      ment List because a recent\n                                                                                      examination may change the\n                                                                                      supervisory rating. The 20 \xe2\x80\x9cRL\n                                                                                      Code\xe2\x80\x9d cells were blank because\n                                                                                      the institutions were not originally\n                                                                                      listed on the Reconcilement List.\nEnsure all records     ACL            Completeness      Filtered both lists to        No issues. Found eight\nin the Reconcile-                                       discard duplicate             institutions on the Reconcilement\nment List are part                                      records. Compared the         List that were not on the Universe\nof the Universe                                         \xe2\x80\x9cCERT\xe2\x80\x9d field in both          List. Institutions merged with\nList.                                                   lists.                        other institutions.\nEnsure that the        Code           Correctness of    Analyzed the logic of         No issue. COBOL code would\ninternal logic of      Review         Calculation       the latest version of the     correctly perform the calculations\nRRPS ensures an                                         COBOL code in                 to determine an institution\xe2\x80\x99s CG\ninstitution is                                          determining an                as required by DIR policy.\nassigned to the                                         institution\xe2\x80\x99s CG.\ncorrect Capital\nGroup (CG).\nEnsure that the CG Data               Accuracy of       Matched a statistical         The data from all 43 institutions\nand Supervisory        Matching       RRPS data         sample of 43 institutions were identical in RRPS and\nSubgroup (SS)                         extracted by      to determine if the CG        AIMS II.\ndetermined by the                     AIMS II to        and SS generated by\nRRPS were                             calculate         RRPS were used by\nextracted by                          institution       AIMS II for invoicing.\nAIMS II.                              assessments\n* The accuracy of the data input into RRPS was not tested as part of the data integrity tests in this audit because\n(1) the other systems that RRPS obtains data from included built-in edit checks and (2) we are testing the accuracy\nof data input into RRPS by DSC personnel as part of a separate, ongoing audit.\n\n\n\n\n                                                          17\n\x0c                                                                                              APPENDIX IV\n\n                SCM PLAN ELEMENTS AS DESCRIBED IN THE SOFTWARE\n                     CONFIGURATION MANAGEMENT GUIDEBOOK\n\n                                   Plan Requirement\nCM [configuration management]\nOrganization\nRoles and Responsibilities         Identify who is responsible for configuration management.\nTools/Environment                  Identify the environment and software tools that will be used for\n                                   configuration management throughout the application or product lifecycle.\nTraining                           Describe the training required to implement the configuration tools and\n                                   procedures.\nConfiguration Identification\nIdentification Methods             Describe how configuration products are to be named, marked, and\n                                   numbered. The identification scheme needs to cover hardware, system\n                                   software, Commercial-Off-The-Shelf products, and all application\n                                   development artifacts listed in the product directory structure such as plans,\n                                   models, components, test software, results and data, executables, etc.\n\n                                   Naming conventions for Endevor data sets should be described, if\n                                   applicable.\nConfiguration and Change Control\nCM Repository                      The FDIC has standardized the use of StarTeam and Endevor as the tools for\n                                   managing the CM library. The CQMS [configuration and quality\n                                   management staff] Team and the Infrastructure Services Branch are\n                                   responsible for performing nightly backups, providing for disaster recovery\n                                   and the general maintenance of the CM repositories.\n\n                                   Describe any custom folders and discuss any custom security in place.\nView and Branch Management         Describe the configuration to use multiple branches to segregate work,\n                                   parallel development, introduction of code from external parties, or\n                                   providing a gate between development and Development Integration.\nProject Baselines                  A baseline is a \xe2\x80\x9csnapshot\xe2\x80\x9d in time of one version of each artifact in the\n                                   project repository. A baseline is the official standard on which subsequent\n                                   work is based and to which authorized changes are made. The three main\n                                   reasons for creating baselines are reproducibility, traceability, and reporting.\n                                   Baselines also play a role in determining when an artifact needs to come\n                                   under formal configuration and change control.\nDocument Processing and Approval   Documents that have a review level of either Formal \xe2\x80\x93 External or Formal \xe2\x80\x93\n                                   Internal require a review cycle and a documented review record.\nChange Request Processing and      The application will follow the Change Request processes and procedures in\nApproval                           StarTeam. Describe any variation of the process by which problems and\n                                   changes are submitted, reviewed, and dispositioned.\nChange Control Board               Describes the membership and procedures for processing change requests.\nRelease Process                    Describe what is in the release, who it is for, and whether there are any\n                                   known problems, and installation instructions.\n\n\n\n\n                                                   18\n\x0c                                                                                             APPENDIX IV\n\nStatus Accounting\nReports                             Describe the content, format, and purpose of the requested reports and\n                                    configuration audits. Reports are used to assess the \xe2\x80\x9cquality of the product\xe2\x80\x9d\n                                    at any given time of the project or product life cycle. Reporting on defects\n                                    based on change requests may provide some useful quality indicators and\n                                    thereby alert management and developers to particularly critical areas of\n                                    development.\nConfiguration Evaluations           Configuration evaluations are conducted to confirm that SCM activities and\n                                    processes performed for an application are in compliance with FDIC\n                                    standards and the resulting baselines and documentation are accurate.\n\nPhysical Configuration Audit        At the end of each iteration, the Project Manager or their representative will\n                                    conduct a physical configuration audit to confirm that:\n                                         \xe2\x80\xa2 the change requests targeted for the iteration deployment are\n                                             documented properly,\n                                         \xe2\x80\xa2 the artifacts changed against those CRs [change requests] are linked\n                                             and that all appropriate artifacts are correctly labeled,\n                                         \xe2\x80\xa2 and the artifacts specified in the Development Case are either\n                                             created, revised, or finalized.\n\n                                    Describe any additional audits that will be conducted for the application.\n                                    Reasons for doing so may involve regulatory requirements.\nFunctional Configuration Audit      Describes audit procedures to confirm that a baseline meets the requirements\n                                    targeted for the baseline.\nMilestones                          Identify the internal and customer milestones related to the project or\n                                    product CM effort. This section should include details on when the CM\n                                    Plan itself is to be updated.\nSubcontractor and Vendor Software   Describe how software from outside of application environment will be\nControl                             incorporated and reference any third party CM plans.\n\n\n\n\n                                                    19\n\x0c                       Appendix V\n\n\n\nCORPORATION COMMENTS\n\x0c     APPENDIX V\n\n\n\n\n21\n\x0cAppendix V\n\x0c     APPENDIX V\n\n\n\n\n23\n\x0c                                                                                                                                                APPENDIX VI\n\n                                                MANAGEMENT RESPONSE TO RECOMMENDATIONS\n     This table presents the management response on the recommendations in our report and the status of the recommendations as of the\n     date of report issuance.\n\n                                                                                                                                                           Open\n      Rec.                                                                     Expected            Monetary      Resolved:a      Dispositioned:b            or\n     Number         Corrective Action: Taken or Planned/Status              Completion Date        Benefits      Yes or No         Yes or No              Closedc\n                   The security plan has been updated to correct            October 14, 2005         N/A            Yes               No                   Open\n           1       the deficiencies identified during the audit.\n                   Approval of updated security plan is needed.\n                   The SCM Plan has been drafted, and the                   October 14, 2005          N/A            Yes                No                 Open\n           2       appropriate StarTeam capabilities will be\n24\n\n\n\n\n                   implemented. Approval of the SCM Plan and\n                   StarTeam implementation is pending.\n                   The roles, responsibilities, and procedures for          October 14, 2005          N/A            Yes                No                 Open\n           3       reviewing user access accounts are included in\n                   the updated security plan. Approval of the\n                   updated security plan is needed.\n     a\n         Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.\n                   (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.\n                   (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long\n                       as management provides an amount.\n     b\n       Dispositioned \xe2\x80\x93 The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved\n     through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the\n     recommendation.\n     c\n         Once the OIG dispositions the recommendation, it can then be closed.\n\x0c"